Congress Intercepts “Data Pass”

Written by William I. Rothbard on Wednesday, April 20th, 2011

If you’ve been passing your Internet customers’ accounts to other online merchants, you’ve just been picked by Congress.

Late last year, S. 3386, the “Restore Online Shoppers’ Confidence Act” (known as “Rockefeller”), sponsored by Senator Jay Rockefeller, sailed through Congress. The measure, the capstone to an investigation by Senator Rockefeller into consumer abuses in online upsells of negative option plans for membership clubs, codifies, for online transactions only (offline is unaffected), existing Visa/MC restrictions on transfer of account data (“data pass”) between merchants. No longer will an online upseller legally be able to use pre-acquired account data.

While the statute arises from a club industry inquiry, it applies to the data pass and marketing practices of all online upsellers, and to negative option offers of all online merchants, not just upsellers. It:

Forbids an “initial merchant” to pass billing accounts, which it has used to charge a customer in an Internet-based sale, to an unaffiliated upseller, or “post-transaction third party seller,” for use in an Internet-based sale (data pass between corporate affiliates is still allowed)

Requires the post-transaction 3rd party seller to:

Disclose purchase terms before obtaining billing data;

Disclose it is not affiliated with the initial merchant; and

Obtain the full account number from the consumer.

Requires the terms of all negative option offers by any type of seller to be disclosed before obtaining billing information.

In anticipation of Rockefeller, some online upsellers already had begun to abide by data pass restrictions, by having consumers reenter billing data. If you’re one who hasn’t, you need to do so now to be in compliance.

Unanticipated, because it was not in the bill earlier, is the requirement that a merchant disclose the terms of upsells and negative options (whether an initial sale or upsell) before getting the consumer’s billing information. This “late hour” amendment has the Federal Trade Commission’s fingerprints all over it. While prior law (and earlier versions of Rockefeller) had only required disclosure of terms “before sale” (before the consumer clicks and buys), the FTC favors the stricter “before billing information” standard and routinely places it in consent orders. This disclosure standard is now federal law for online sales under Rockefeller.

While the law is pretty clear, certain questions remain. Does the data pass ban apply to accounts that have been collected, for example, by an online lead generator, but not charged? May an online seller who receives account data that has not been charged use it without getting the account number from the customer again?

These and other questions will be sorted out as the agencies responsible for administering the law, the FTC and state Attorneys General, issue guidance and enforce it. It’s important they be answered, because violators will face substantial monetary penalties.